INFORMATION TECHNOLOGY MANAGEMENT IN ENFORCEMENT

                     EXECUTIVE SUMMARY

We found that the Division of Enforcement's (Enforcement or the Division) information technology (IT) management was generally adequate. However, the Division needs to issue additional guidance to ensure a sound IT program. During our review, the Division and the Office of Administrative Services (OAS) developed procedures for preventing and resolving physical security incidents at the Division's forensics lab.

To enhance the Division's IT management, we are recommending that it prepare an IT plan and document its procedures for IT management, major initiatives (such as the document imaging project), and security management.


OBJECTIVES, SCOPE, AND METHODOLOGY

Our audit objective was to evaluate the Division of Enforcement's IT management to determine if it was adequate and in compliance with applicable guidelines. During the review, we analyzed relevant IT documentation, interviewed Division, OAS and Office of Information Technology (OIT) staff, and observed the Division's IT operations. The specific areas of review were:

   •   General IT management;
   •   IT security management;
   •   Staff IT training; and
   •   IT policies, standards and guidelines.

We used selected best practices and standard IT controls (Control Objectives for Information and related Technology, or COBIT) to perform this review.

We conducted this performance audit from September 2005 to August 2006 in accordance with Generally Accepted Government Auditing Standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence that provides a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.


                                BACKGROUND

The Office of Information Technology has overall responsibility for Commission IT management. OIT's duties include application development, infrastructure operations and engineering, user support, IT program management, capital planning, security, and enterprise architecture.

Over time, the program offices have gradually assumed significant IT responsibilities, staff, and funding. In particular, the Division of Enforcement has a relatively large IT program, using both employees and contractors.

Enforcement's management views IT as a vital tool in accomplishing its mission. In support of its investigations, Enforcement uses data analysis and mining tools, images evidentiary documents, and extracts files from electronic media.

The Division has established an Office of Technical Services to handle its IT requirements. This Office is composed of three branches: Technical Consulting and Analytical Services, Litigation Support, and IT Forensics.

The Technical Consulting and Analytical Services Branch principally focuses on e-mail, system back-ups, and database issues related to investigations. The Litigation Support Branch images evidentiary records and performs other IT-related duties in support of Enforcement litigation. The IT Forensics Branch's primary function is to extract active and deleted files from electronic media (e.g., hard drives, personal digital assistants).


                               AUDIT RESULTS

We found that Enforcement IT management was generally adequate. However, the Division needs to issue additional guidance to ensure a sound IT program, including an IT plan and procedures for IT management, major initiatives, and security management. Our detailed findings and recommendations are presented below.


IT PLAN AND PROCEDURES

Enforcement has not yet prepared a formal IT plan, since its Office of Technical Services is relatively new (established in 2005). Also, Enforcement noted that its participation in the Commission's capital planning process acts as a planning tool. However, a formal IT plan would help define Enforcement's current and future IT needs in relation to the Division's strategic goals, and describe the required steps and timeframes for meeting those needs.

Enforcement currently has few written procedures for its IT management, both for day-to-day operations and for major initiatives (such as the document imaging project). Written procedures would help Enforcement control and standardize its IT program, especially for forensics and document imaging. The documentation would serve as a reference (particularly for new staff) and help ensure consistent implementation of Enforcement initiatives.

IT Management in Enforcement (Audit No. 405)                          November 14, 2006

        Recommendation A
        The Division of Enforcement should prepare a short- and long-term IT plan.

        Recommendation B
        The Division of Enforcement should develop written procedures for its IT
        management and major IT initiatives.


SECURITY MANAGEMENT

We found that the Division's IT security management can be improved. While the Division has an informal process in place, it does not have written procedures covering its responsibilities for IT security (OIT has responsibility for most Commission IT security). Such procedures would describe Enforcement's approach to security and provide guidance to its IT staff.

In this regard, certain Division security practices need improvement. For example, Enforcement has not defined which staff are authorized to request IT system changes from OIT. Also, Enforcement did not have sufficient back-up staff to support one of its web servers. These conditions could result in inappropriate system changes, or in web server issues not being resolved in a timely manner.

        Recommendation C
        The Division of Enforcement should develop written procedures describing its
        IT security management, including system changes and staff support for
        systems.


FORENSICS LAB PHYSICAL SECURITY

Enforcement indicated that physical security could be an issue for its IT forensics lab. Its access records for the lab showed that it had been entered by an unidentified person who had bypassed Enforcement's normal entry procedures.

The Office of Administrative Services reviewed this issue, and found that an authorized employee in its physical security group had entered the lab. However, OAS did not provide this information to Enforcement. Enforcement is currently trying to get the forensics lab accredited, so it needs information on any possible unauthorized access.

During the audit, we suggested that OAS develop procedures to ensure that (1) its staff follows Enforcement's procedures for access to the IT forensics lab, and (2) it informs Enforcement of the results of its review of physical security incidents at the lab.

Before we issued this report, OAS and Enforcement jointly developed procedures which adequately addressed physical security within the forensics lab. Accordingly, we are not making a recommendation on this issue.